Category Archives: Secure things

XML Injection For Beginners

Suppose I sent one of my kids to the supermarket with a shopping list. Afterwards I got all the things on the list and the change. How would I know that everything went right?

If there was a discount on an article, then I would get more money back. Or my loyalty card could have been used to get free candy.

The best way is to look at the bill, the money, and the bought items. This is audit in a nutshell.

If you use a screen reader, please configure the screen reader to read punctuation and symbols aloud.

XML uses special characters like the greater-than sign (>) and the less-than sign (<).

Info about XML basics

The problem with an experience report is that I make huge jumps in my thoughts. So I put in some chapters with more details. For people unfamiliar with XML, I put “Info about” in the title.

Let me introduce an imaginary small company.
Grey Pizza Pasta is an Italian restaurant which recycles pizzas into pasta. To make it special the pasta is grey for some special reason. It began as a joke and now it is a business.

A big scoop of pasta will cost 3 Euro. What is a scoop?
If it looks like a spoon, can I put a top of pasta on it? What kind of tool can I use to measure it? How do you determine the right amount of pasta?

Mister Grey would like to make a row of pasta on the shelf, but which are the first and last ones? How could you tag them?

Maybe it would be better to make small heaps of pasta. The space between the heaps is like a boundary. The pasta between the spaces has been weighed.

According to Wikipedia XML or eXtensible Markup Language is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.

In XML a heap of pasta could be described as follows:

<heap>pasta</heap>

<heap> is called a begin tag. You might call it a starting point.

  • It starts with < or the less-than sign.
  • heap is the description, what it represents.
  • > or the greater-than sign ends the tag.

</heap> is called an end tag. You might call it an end point. It almost looks like the begin tag. Only a forward slash or / is used before heap.

So everything between <heap> and </heap> is contained in the heap. This is called an element in XML. <heap>pasta</heap> can be described as a heap of pasta.

Is every tag name allowed?
Not really, because it must be defined in an XML Schema. In most cases an XML file can be read using common sense or domain knowledge. The last one is knowledge about the product or service being offered.

It is very important to write the end tag.

<heap>pasta chocolate milk

would be converted to a heap of pasta, chocolate, and milk. This is a tough one to imagine. Even for me.

Maybe Mister Grey would have intended a heap of pasta, a heap of chocolate, and a cup of milk.

This would lead to the following code:

<heap>pasta</heap>
<heap>chocolate</heap>
<cup>milk</cup>

Even a kid can imagine these things.

Stumbling over XML

The following story is based on a real story. All references to real companies have been changed.

During a regression test I was requested to look at the audit log. So I opened the VIP Cinema app and bought a ticket for Monsters Unlimited, Potato chips, and a Cola.

My next step was to look at the audit log. I opened the file and saw plain English. So it was easy to understand. It contained my movie ticket, my snack, and my drink.

Being curious I scrolled down. The second part of the file contained XML or Extensible Markup Language. And my head filled with one big question mark.

<item>
  <qty>1</qty>
  <name>potato chips</name>
  <remarks></remarks>
</item>
<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks></remarks>
</item>

At least I recognized my bought items. I ordered 1 cola. The quantity is 1, so qty is short for quantity. So the quantity is shown between <qty> and </qty>.

Now I had an audit log with the first part in plain English and the second part in XML. It looked like the XML was translated to plain English for the audit. If an auditor would read this, then she or he would understand what happened.

I wanted to test my assumption, that the XML was translated to plain English.

Info about nesting XML elements

There is a problem with the heaps of pasta. It looks nice, but people would like to have a box or bag containing pasta. Mister Grey, being minimalistic again, wanted to make a grey paper box. The colour grey was chosen for an obvious reason.

<box>pasta</box>

This XML code is quite confusing. What does the box contain actually? What is the weight of the content of the box? What are the ingredients?

This could lead to the following XML code:

<box>pasta</box>
<weight>230 gram</weight>
<ingredients>flour, salt, water, cheese, tomato sauce, pepperoni</ingredients>

Looking at the shelf I would expect to see a box, a weight, and ingredients. But there is only a box on the shelf.

In XML it is possible to nest elements in other elements. E.g. on the box a name of the product, a weight, and ingredients are shown.

<box>
  <name>pasta</name>
  <weight>230 gram</weight>
  <ingredients>flour, salt, water, cheese, tomato sauce, pepperoni</ingredients>
</box>

SQL Injection

My Inner Exploratory Tester woke up. I looked at the code and saw <remarks>. Remarks are used for extra information, such as requests from the customer.

I could ask for my Cola in a special cup by adding “a cup with a blue furry print” in the Remarks field.

SQL or Structured Query Language is a frequently used language to change data. My order would be like:
“Computer, add 1 ticket for Monster Unlimited, 1 Potato chips, and 1 Cola to my order.”

Remarks can also be used by hackers for bad things. I remembered SQL injection. A hacker could add the command in the Remarks Field:
“Computer, add 1 lemonade to my order.”
On my arrival in the cinema I get a free lemonade. This is SQL injection in a nutshell.

SQL injection is adding SQL code which will add wrong information to the system. In turn this can be misused.

SQL is a language like XML. So the injection should also be possible with XML.

Info about adding code

This was the code I would like to modify.

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks></remarks>
</item>

If I would enter “XML code” in the Remarks field, then the following code would be generated:

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>XML code</remarks>
</item>

Now I used known XML code to put in the Remarks field. This piece of code has the right structure.

<item>
  <qty>2</qty>
  <name>potato chips</name>
  <remarks></remarks>
</item>

If I would put the XML code for the potato chips in the remarks element of the cola, then I would get something like:

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>
    <item>
      <qty>2</qty>
      <name>potato chips</name>
      <remarks></remarks>
    </item>
  </remarks>
</item>

The program would try to match begin tags with end tags.

If an end tag is found, then it will be matched with the corresponding begin tag before it.
A simple case is the following line:

<qty>1</qty>

</qty> is an end tag. The begin tag before it is <qty>. qty or quantity is 1, because 1 is between the <qty> and </qty>.

Now it was time to match <item> with the right </item>.

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>
    <item>
      <qty>2</qty>
      <name>potato chips</name>
      <remarks></remarks>
    </item>
  </remarks>
</item>

The code had 2 elements: an element about cola and an element about potato chips. Let me try to tell what this means: 1 cola has remarks containing 2 potato chips. This looked promising. Let’s have a closer look at the Remarks element of the cola Item element.

 <remarks>
  <item>
    <qty>2</qty>
    <name>potato chips</name>
    <remarks></remarks>
  </item>
</remarks>

Is it possible that a Remarks element has a nested item element?
Probably not. Most of the time this is bad syntax and the XML code will not be processed. A Remarks field should contain text and should not nest elements in XML.

Info about writing the proper code

This section has been added to illustrate my train of thought, which took a few seconds during the test. It took me some time to get the experience for writing the XML code.

What I wanted to order

For my test I wanted to change the XML code. I really wanted to have this piece of XML code in the audit log:

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>
  </remarks>
</item>
<item>
  <qty>1</qty>
  <name>lemonade</name>
  <remarks>
  </remarks>
</item>

My first order attempt

A Remarks field can contain text. So the first line in the remarks field would be </remarks>. I marked this with the line:

<!-- Begin added code -->

This is an XML comment with the text “Begin added code”. A program which processes XML code will ignore this line. Comments are useful for programmers and testers.

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>
    <!-- Begin added code -->
  </remarks>
</item>
<item>
  <qty>1</qty>
  <name>lemonade</name>
  <remarks>
  </remarks>
</item>

Time for trial and error. I had to select a piece of code; I picked the line before the line with a remarks begin tag. I marked this with the line <!-- End added code -->. This is also an XML comment.

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>
    <!-- Begin added code -->
  </remarks>
  </item>
  <item>
    <qty>1</qty>
    <name>lemonade</name>
    <!-- End added code -->
    <remarks>
    </remarks>
</item>

My thought was to put the following text in the Remarks field:

<!-- Begin added code -->
  </remarks>
  </item>
  <item>
    <qty>1</qty>
    <name>lemonade</name>
    <!-- End added code -->
</item>

In turn this should lead to the following code:

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>
    <!-- Begin added code -->
  </remarks>
  </item>
  <item>
    <qty>1</qty>
    <name>lemonade</name>
    <!-- End added code -->
    <remarks>
    </remarks>
</item>

But the generated code was different:

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>
  <!-- Begin added code -->
  </remarks>
  </item>
  <item>
    <qty>1</qty>
    <name>lemonade</name>
    <!-- End added code -->
  </remarks>
</item>

I noticed that the <remarks> under the line <!-- End added code --> was not contained in the generated code. I counted only 1 <remarks> or begin remarks tag instead of 2.

At that moment there was only 1 proper pair of <remarks> and </remarks>. This was wrong. For good XML code the number of begin tags is equal to the number of end tags.

My second order attempt

Another trial and error. I could choose the line before the line with the end tag of remarks.

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>
  <!-- Begin added code -->
  </remarks>
  </item>
  <item>
    <qty>1</qty>
    <name>lemonade</name>
    <remarks>
    <!-- End added code -->
  </remarks>
</item>

A simple way to determine whether the XML code is right is to check that the piece of code has the same number of end tags as begin tags:

<!-- Begin added code -->
</remarks>
</item>
<item>
  <qty>1</qty>
  <name>lemonade</name>
  <remarks>
<!-- End added code -->

For people with more time on their hands, there are other ways to derive the code.
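The two checks described above, matching each end tag with the begin tag before it and counting begin tags against end tags, as an added Python example that is not code from the original post. The sample XML strings are constructed from the post's own cola, potato chips and lemonade items, and the unclosed <heap> tag from the XML basics section is run through the same matcher, so the example goes a little beyond the order story.

```python
import re

# Constructed sample: the cola item with an <item> pasted into its Remarks
# (the nested structure discussed in the post).
NESTED_ITEM = """<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>
    <item>
      <qty>2</qty>
      <name>potato chips</name>
      <remarks></remarks>
    </item>
  </remarks>
</item>"""

# Constructed sample: the fragment derived in the post for the Remarks field.
INJECTED_FRAGMENT = """</remarks>
</item>
<item>
  <qty>1</qty>
  <name>lemonade</name>
  <remarks>"""

# A begin or end tag; comments such as <!-- ... --> do not match.
TAG_RE = re.compile(r"<(/?)([A-Za-z_][\w.-]*)\s*>")


def tag_counts(xml_text):
    """The quick check from the post: number of begin tags and number of end tags."""
    begins = sum(1 for m in TAG_RE.finditer(xml_text) if not m.group(1))
    ends = sum(1 for m in TAG_RE.finditer(xml_text) if m.group(1))
    return begins, ends


def match_tags(xml_text):
    """Stack-based matching: an end tag must close the most recent open begin tag.

    Returns (ok, problems, nesting), where nesting lists (name, depth)
    for every begin tag in document order.
    """
    stack, problems, nesting = [], [], []
    for m in TAG_RE.finditer(xml_text):
        is_end, name = bool(m.group(1)), m.group(2)
        if not is_end:
            nesting.append((name, len(stack)))
            stack.append(name)
        elif not stack:
            problems.append(f"</{name}> has no begin tag")
        elif stack[-1] == name:
            stack.pop()
        else:
            problems.append(f"</{name}> closes <{stack[-1]}>")
            stack.pop()
    problems.extend(f"<{name}> never closed" for name in stack)
    return not problems, problems, nesting


def elements_inside_remarks(xml_text):
    """A <remarks> element should hold text only: list the names of elements
    that appear directly inside one."""
    _, _, nesting = match_tags(xml_text)
    found, remarks_depth = [], None
    for name, depth in nesting:
        if remarks_depth is not None and depth > remarks_depth:
            if depth == remarks_depth + 1:
                found.append(name)
            continue
        remarks_depth = depth if name == "remarks" else None
    return found


if __name__ == "__main__":
    print(tag_counts(INJECTED_FRAGMENT))         # equal counts ...
    print(match_tags(INJECTED_FRAGMENT)[1])      # ... but not valid on its own
    print(match_tags("<heap>pasta chocolate milk")[1])
    print(elements_inside_remarks(NESTED_ITEM))
```

The count check passes the fragment (4 begin tags, 4 end tags), while the stack check reports that the fragment closes tags it never opened and opens tags it never closes. That is exactly why it works once pasted into the cola item: the surrounding `<remarks>` and `</item>` of the app supply the missing halves. A tester or a log checker can use `elements_inside_remarks` to flag any remarks element that contains elements instead of text.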

XML injection in action

Because of the desert scene of Monsters Unlimited, visitors usually order extra drinks. I had the right XML code for this purpose:

<!-- Begin added code -->
</remarks>
</item>
<item>
  <qty>1</qty>
  <name>lemonade</name>
  <remarks>
<!-- End added code -->

In order to show the use of this code I added the XML comments <!-- Begin added code --> and <!-- End added code -->.

I placed this code in the Remarks field of my Cola order and the App made the following XML code:

<item>
  <qty>1</qty>
  <name>cola</name>
  <remarks>
    <!-- Begin added code -->
  </remarks>
</item>
<item>
  <qty>1</qty>
  <name>lemonade</name>
  <remarks>
    <!-- End added code -->
  </remarks>
</item>

This XML injection led to the following piece in plain English in the audit trail:
1 cola
1 lemonade

I was quite pleased with my successful data manipulation on my first try. For the price of 1 cola I got 1 cola and 1 lemonade according to the audit log. Two drinks for the price of one.

In the cinema I would only get a cola. This was the only drink in my order. The lemonade mentioned in the remarks was not included in the order. But a lemonade was still in the audit log.

What is the deal?
In this case someone would have a lemonade for free. The drink was already included in the log.

What would happen, if an expensive collectible gold cup is added to my order?
Someone could take this cup home for free. One cup for the price of none.

Solutions to prevent XML injection

As a tester I had two solutions:

  1. Limit the number of characters in the Remarks field.
    This way the bad XML code would be reduced or even prevented.
  2. Train the employees of the cinema.
    If they could detect strange text in the Remarks field, then there was a chance of an attack by a hacker.

The developers were quite strict: prevent the use of < and > in the Remarks field.
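The injection in action and the developers' fix, as an added Python example that is not part of the original post. `build_item_unsafe` is an assumed imitation of a builder that pastes the Remarks field straight into the XML, which is how the app in the story seems to have behaved; `build_item_safe` passes the field through `xml.sax.saxutils.escape` first, and `check_remarks` is the developers' rule of refusing < and > in the field. The audit renderer parses the generated XML with ElementTree and produces the plain-English lines the post describes. The sample inputs are constructed from the post.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: the Remarks text derived in the post (comments left out).
INJECTED = """</remarks>
</item>
<item>
  <qty>1</qty>
  <name>lemonade</name>
  <remarks>"""

# Constructed sample: an ordinary customer remark from the post.
HARMLESS = "a cup with a blue furry print"


def build_item_unsafe(qty, name, remarks):
    """Assumed builder: the field is pasted into the XML without any escaping."""
    return (f"<item>\n  <qty>{qty}</qty>\n  <name>{name}</name>\n"
            f"  <remarks>{remarks}</remarks>\n</item>\n")


def build_item_safe(qty, name, remarks):
    """Same layout, but user-supplied text is escaped first: < > & become
    &lt; &gt; &amp; and can no longer begin or end a tag."""
    return build_item_unsafe(qty, escape(name), escape(remarks))


def check_remarks(remarks):
    """The developers' rule from the post: refuse < and > in the Remarks field."""
    if "<" in remarks or ">" in remarks:
        raise ValueError("Remarks field may not contain < or >")
    return remarks


def remarks_allowed(remarks):
    """True when the Remarks text passes the developers' rule."""
    try:
        check_remarks(remarks)
        return True
    except ValueError:
        return False


def parse_order(items_xml):
    """Parse the generated items as one order document."""
    return ET.fromstring(f"<order>\n{items_xml}</order>")


def audit_lines(items_xml):
    """Render the plain-English part of the audit log: one line per item."""
    return [f"{it.findtext('qty')} {it.findtext('name')}"
            for it in parse_order(items_xml).findall("item")]


def remarks_text(items_xml):
    """What the remarks element of each item holds after parsing."""
    return [it.findtext("remarks") for it in parse_order(items_xml).findall("item")]


def builder_accepts(builder, remarks):
    """True when the XML the builder produces for this remark can be parsed at all."""
    try:
        parse_order(builder(1, "cola", remarks))
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    print(audit_lines(build_item_unsafe(1, "cola", INJECTED)))  # two drinks in the log
    print(audit_lines(build_item_safe(1, "cola", INJECTED)))    # one drink in the log
    print(remarks_text(build_item_safe(1, "cola", INJECTED)))   # fragment kept as plain text
    print(remarks_allowed(INJECTED), remarks_allowed(HARMLESS))
```

With the unsafe builder the audit log lists 1 cola and 1 lemonade, as in the story. With escaping the same input stays one item whose remarks contain the literal fragment, and the developers' rule rejects it before the XML is ever built. The `builder_accepts` check shows a side effect of the unsafe builder that the post does not mention: an honest remark such as “chips & dip” already breaks the XML, because a bare & is not allowed in element text, while the escaped builder handles it.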

If you use a screen reader, please set the screen reader to the normal reading mode.

Summary

Data is not about what is stored, but how it is used.

XML injection is adding XML code which will add wrong information to the system. In turn this can be misused.

The Clokie Project

In December 2018 Katherina Clokie, a known speaker, announced that she would look more outside the tester community.

My reaction

Amazement, grief.

After a few months I realised that it was not a bad idea.

My change of heart

My wife has some really tough questions I have to answer. The biggest one is:
“What did you learn?”
Right behind each test conference.

So I reduced my number of test conferences and number of hours at the conferences. There are still some really good conferences like TestBash, Agile Testing Days, and European Testing Conference with plenty of awesome insights.

I attended a lot of other conferences and after a while I would be just happy to pick up something new.

There is more to gain at a conference if you only know the basics. With more than 20 years of experience it is way less.

It was time for my Clokie project.


Time for a small flashback to October and November 2018. I already had looked outside the Test Community.

Here are some notes from Infosecurity 2018:
In case of doubt treat data as personal data. Zip code and house number are personal data.

In the EU there are several government privacy organisations, but they have different focuses on privacy issues.

Steps in case of a data breach:

  • Secure proof
  • Look in the logging
  • Determine scope
  • Communicate
  • Remediate
  • Learn

A change of behaviour can indicate an identity theft.

The way of accessing data in the cloud is the weakest link.

In GDPR, the European Privacy Law, a penalty is used to let the company feel the pain instead of putting a company out of business.

GDPR is not applicable for dead persons. But there can be other laws which are applicable for dead persons.

Meet the expos

How to attract people to an expo? Goodies, free access, and talks.

Some of my healthcare and ICT notes in random order
Anonymize pictures, determine objects of interest, and annotate them using smart software.

First step is vision and then involve stakeholders like care providers, health insurers, and suppliers.

Patient panel discovered that 60 % of the patients want a personal health environment.

Care providers like hospitals and doctors are given incentives. They get money on the basis of results and not on actions taken.

Law of customer’s rights. E.g. A care provider should only get information which is needed for the care to be provided.

Misconfiguration is becoming the weakest point in defense.

Meet the meetups

010dev is a small meetup in Rotterdam. It has Dutch characteristics like gezellig (cosy) and Buy Your Own Drink. It is in a pub after all. Once in a while it is in a company.

During my meetups there are no lectures, but I still listened a lot. As a tester, was I able to follow the small talk and tech talk?

In a few hours a lot of subjects passed. Programming languages, projects, and new trends were discussed. Somehow I could understand bits and pieces.

Developers.nl had a more traditional format for the meetup: free drinks, free meals, and free lectures.

I went to two meetups. The first one was abstract. It was about architecture. What are good guiding principles to set up a complex environment?

The second meetup was about vue.js. This was a challenging one. I had only basic knowledge about JavaScript and HTML. So I read some ebooks about vue.js which are based on these languages.

This talk was more understandable for me. The speaker shared some tips about vue.js.

How to speed up the performance by loading the needed content in 2 stages? First the necessary stuff was loaded for the web page. The rest followed while the user had a first impression of the page.

Looking under the hood

My blog has been made with WordPress. One day I was blogging and a conference in Rotterdam was announced in the dashboard.

There were some particular benefits: 25 Euro for a ticket including lunch, an environmentally friendly venue, meeting other WordPress users, short traveling distance.

As a tester I had not had a chance to attend a talk about accessibility. I honestly don’t understand this.

This conference offered more talks about this subject than I could process. I skipped the last ones.

Another interesting subject was security headers. It is possible to make WordPress secure. I was thinking that a header only contained some information.

For the interested reader have a look at my conference digest mind map.

Finishing thoughts

Retro: did I learn more than previous years?
Yes.

But what did I pick up in those previous years?
Mostly subjects related to programming and law. Less about testing.

Just made me think.


On Twitter Trish Koo placed a thought-provoking tweet. In order to become better in software development you have to learn both testing and programming.

GDPR – The forgotten tests – Test 3

[Update July 30th 2019] The last weeks I did some research and discovered that my advice was wrong. So I removed it.

My initial take was to describe a situation that was not GDPR compliant. But I was wrong, so I wrote down the latest status.

This blog post is about the mysterious status code 451. It still contains some really interesting information.

[End update July 30th 2019]

Disclaimer

I am not a legal expert. So please have a look at my used sources. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks for joining in advance.

Experience report

This is my way to reflect on my research in GDPR of the last months. It took me lots of hours.

If I missed a legal or W3C link, you can always contact me. I am happy to update this blog post.

This spring I prepared a workshop about blogging. I tweeted about the use of sketch notes to find fieldstones. It got attention from @ConstanceHermit and Mike Rohde.

Mike had a familiar name. I bought his book about sketch noting.
He asked me for a sketch note for testing. OK. Wow. WOW.
Sure no problem.

I only had to wait for a good opportunity to put his request in practice. After a few months I saw a tweet about code on a web page:
“451: the website cannot be shown because of legal reasons.”

I visualised some scenarios and found some problems in the chosen solution. In case of impatience you can skip to the end of the article for the sketch notes. Be my guest.

Numbers are fast to communicate. If people want a pizza and call numbers, then I can go to the website and just enter the called numbers.

A pizza menu was used to abbreviate the pizza names: 16 is pizza Salami, etc. This way a protocol was set up.

The Hypertext Transfer Protocol (HTTP) is used for web sites. Status codes like 451 provide information to the user.

The problem with being a tester is to make an understandable message. This is quite hard. It is like telling how a car works without using names of car parts. I wanted to put 451 in the sketch note, but that was intimidating. I also skipped flow diagrams.

I also wanted to show off with test techniques. This was again: Not done. This is only nice for testers, but this is no good for people unfamiliar with testing. I can guarantee you that their number is way bigger than the number of testers.

Several drafts later.
One sketch note became 2 sketch notes. First I drew with a dark marker, then I used other markers for more details.

Then I set a new deadline for myself. I would use the sketch notes in a presentation. If a speaker could not make it at the test conference a week later, then I would volunteer. GDPR is still interesting stuff for testers. In legal terms it is good for the public interest.

Now I had to check my picture. And I hit the wall. It hurt.
Access is denied to the website because of tracking without consent

451 was used for legal demands. I clicked on the link to the official request to add an extra code to the HTTP protocol.
This looked pretty official.

In this case the ministry of justice contacted the internet service provider, which in turn shows a 451 to the user. Sorry access denied.

So this was not about web sites silencing themselves.
So all the hours spent were for nothing. I lost hours of work. I felt miserable. This is part of research.

The weekend before the test conference I looked on the internet. This time I searched on 451 and GDPR. The blog post ‘Is http 451 suitable for GDPR blocking?’ popped up.

So I started my due diligence.

Is it right
What I write?

The author is Terence Eden. That was the guy who had the idea for 451. I looked again in the official proposal for 451. Terence was mentioned. So my sketch note was almost good.

So I only had to change the picture. And I was all set.
Access is sometimes denied to the website because of tracking without consent
I shared my deadline with my kids and they talked about it the next days.

The evening before the conference I checked my sketch note about citizenship. GDPR was quite vague:
“Data subjects who are in the EU” [Article 2]

I could not find something about nationality. So a Dutchman in his own country is a data subject in EU. But a Dutchman in the US is not a data subject in the EU. Did I miss something?

So again I was facing a legal problem in my sketch note.

I used my search engine and found several answers on my question: is it possible to track EU citizens outside the EU?
On Quora there was a majority in favour of not tracking. One legal-looking website had a complex advice with lots of conditions.

Law is not about democracy, but about sticking to the rules.
Basically I hit the wall again.

Now I am a Dutchman. The big advantage is that the number of Dutch web pages is lower than the number of English web pages.

I entered several Dutch words in my search engine and I found an official web page
“Bedrijven buiten de EU die gegevens van EU-burgers verwerken, moeten een vertegenwoordiger in de EU aanwijzen.”

Please allow me to translate this in English by using the language button on the page:
“Non-EU based businesses processing EU citizen’s data have to appoint a representative in the EU.”

These are the first 2 times I found “EU citizen” on the official EU website pointing to GDPR.
“Is this legal stuff for the court?”
“Sorry no.”
“Really?”

There is a legal notice in the footnote containing a disclaimer. So I am quoting from an interpretation of the EU of GDPR. GDPR is leading and not the interpretation.

The day before first publication date I read article 2 again:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  • (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

The location of the home of the user was not enough. Again I was attempting to tweak this blog post.

Wait. In 2 (a) I found an interesting exception clause. What if an American shop offers products in the EU?
So I drew a shop in the EU.

Okay, here are the promised sketch notes. Sorry for the lengthy introduction.

In the first sketch note I point out that the web site uses the location of the laptop to identify an EU citizen. But this is different from GDPR. The nationality of the user and the location of the shop should be used instead.

Sketch note showing that a web site is denying access based on location instead of nationality and location shop because of tracking.

In the second sketch note there are two situations, which were not intended by the web site owner.

An American cannot access a website in the office in the EU. But GDPR is not applicable.

Suppose your American colleague comes to Germany to lend you a hand. Then he wants to go to a website with an expensive subscription. It is not possible: 451. The web site owner will probably state something about GDPR. Hopefully a disclaimer was added for this case.

Looking at GDPR there is no violation. So no privacy penalties are involved.

The second sketch note is really worrying, because an EU citizen is tracked during her or his holidays in the US.

[Update July 30th 2019]

My interpretation of GDPR was that this was not allowed.

This spring I heard that it was possible to track the behaviour of European citizens outside the European Union. I filed it for later research. Last month I did some research for my workshop about GDPR. In a blog post it was again stated that behaviour outside the EU could be tracked.

Use the source, Luke

So I searched in the original law text in English. Then I switched over to Dutch and I found an article stating the tracking possibility.

As a tester I immediately started to look for other loopholes.

What about a European tourist in a European embassy in the US? If I would go to an embassy, then I need some help. As a Dutch citizen I would go to the Dutch embassy, which is based on Dutch territory.

In this paragraph I made a lot of assumptions, which I had to verify one by one.

I am Dutch. I have a passport, so this is true. The same for a Dutch embassy in the USA.

The 451 status code is given based on an IP address. In plain language, every internet device has an address on the internet. If I ask for some information, this info should be sent to my phone and not to a laptop 3 towns away. In my view, giving the 451 status code based on location is highly plausible.

It is not possible to determine whether the smartphone is in an embassy. For an internet provider it is possible to determine the longitude and latitude of a smartphone. Whether this is exact enough, I have some doubts.

The IP address of my smartphone does not change. This assumption is wrong. The set of IP addresses for a region of the world is fixed. If I go to the US, then I get another IP address. So a fixed IP address for a smartphone all over the world is not true.

The final assumption was that the Dutch embassy is based on Dutch territory. This is not true. More important is to determine which law applies. It is the law of the host, as stated in article 21 of the Vienna Convention on Diplomatic Relations.

[End update July 30th 2019]

Tips for testing

  • Go as close to the source as possible.
    Read GDPR or find interpretation of the law given by the legislator or representative.
  • Check and double check information and sources.
  • Gamify testing by using different tools.
    I used sketch notes, mind maps, and the internet.
  • Get used to hitting the wall.

Note about experience report

This is my experience report about GDPR testing. I ran into some problems, but I was able to resolve them. I could just skip the problems encountered, but you, the reader, could get a false impression. Learning is stumbling and standing up. And walking again.